Yesterday I installed DenyHosts on my Linux box. It is an interesting program: a Python script that scans your system logs for repeated failed login attempts and adds the offending IP addresses to your hosts.deny file, so script kiddies can’t even open a connection. You can run it from the command line or set it up as a daemon so that it does its work automatically, in real time. Pretty neat. Sounds like it could be an interesting feature addition to OpenSSH.
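To make the mechanism concrete, here is a small scanner in the same spirit as what DenyHosts does: it counts failed password attempts per source address in sshd’s log lines and renders the worst offenders as hosts.deny entries. This is an added example, not DenyHosts’ own code; the log lines are constructed (sshd’s syslog format, documentation IP ranges), the threshold of 5 and the `exempt` allowlist are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog lines; not real traffic.
SAMPLE_LOG = """\
Mar  3 02:11:07 box sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Mar  3 02:11:09 box sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Mar  3 02:11:12 box sshd[2233]: Failed password for root from 198.51.100.7 port 51530 ssh2
Mar  3 02:11:15 box sshd[2235]: Failed password for invalid user oracle from 198.51.100.7 port 51541 ssh2
Mar  3 02:11:20 box sshd[2237]: Failed password for invalid user test from 198.51.100.7 port 51550 ssh2
Mar  3 02:14:31 box sshd[2250]: Failed password for alice from 203.0.113.5 port 40122 ssh2
Mar  3 02:14:40 box sshd[2250]: Accepted publickey for alice from 203.0.113.5 port 40122 ssh2
Mar  3 02:20:02 box sshd[2261]: Invalid user guest from 192.0.2.99
Mar  3 02:20:02 box sshd[2261]: Failed password for invalid user guest from 192.0.2.99 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (the "invalid user" prefix is optional).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Map source IP -> number of failed password attempts seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=5, exempt=()):
    """IPs with at least `threshold` failures, busiest first.

    `exempt` holds addresses you never want blocked (your own workstations),
    so a typo'd password from home cannot lock you out of the box.
    """
    counts = failed_logins(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold and ip not in exempt]


def hosts_deny_lines(ips, daemon="sshd"):
    """Render hosts.deny entries in hosts_access(5) syntax, e.g. 'sshd: 198.51.100.7'."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

Two things the real tool also has to deal with: the `exempt` list matters more than it looks, since an automated blocker that is not told about your own addresses will eventually ban you; and entries should expire, because dial-up and cloud addresses get reassigned to people who never attacked you.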
It was interesting to look at my logs and see that people were in fact trying dictionary attacks. Kind of alarming, actually. So I took the opportunity to tighten things up a bit. I opened /etc/ssh/sshd_config and:
- Turned off PasswordAuthentication so that an RSA key (which is of course much harder to guess than a password) is required.
- Turned off PermitRootLogin.
- Changed from the default port of 22 to something else. Yeah, determined attackers would port scan to find sshd, but this easy measure can still deter a lot of kiddies.
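The three edits above are easy to get subtly wrong, because sshd applies the first occurrence of a keyword and ignores later ones, and because turning off PasswordAuthentication alone still leaves keyboard-interactive password prompts open when UsePAM and ChallengeResponseAuthentication are on. The following audit, an added example rather than anything from the original post or from OpenSSH, applies those rules to two constructed sshd_config excerpts; the port number 2222, the file contents and the finding texts are assumptions, and the DEFAULTS table reflects the compiled-in defaults of OpenSSH 7.0 and later.

```python
import re

# Constructed sshd_config excerpts for the audit; not copied from any real host.
WEAK_CONFIG = """\
# distro defaults, mostly left commented out
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
# appended later in the hope of disabling passwords: no effect, the first value wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def effective_settings(config_text):
    """Global keyword -> value, following sshd's rules: keywords are case-insensitive,
    the first occurrence of a keyword wins, lines starting with '#' are comments, and
    everything after a Match line is conditional (this audit stops there)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)                  # first occurrence wins
    return settings


def audit(config_text):
    """Findings for the three changes in the post, plus the keyboard-interactive
    hole that PasswordAuthentication alone leaves open. Empty list means clean."""
    eff = effective_settings(config_text)
    get = lambda k: eff.get(k, DEFAULTS[k])
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can still be guessed")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': with UsePAM, "
                        "keyboard-interactive can still prompt for a password")
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is '%s', not 'no'" % get("permitrootlogin"))
    if get("port") == "22":
        findings.append("Port is the default 22")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "clean")
```

On a real host the authoritative check is `sshd -T`, which prints the effective value of every keyword after the same first-match resolution, and `sshd -t` validates the file before a restart. Keep an existing session open while you restart sshd, and test a fresh login from a second terminal before closing it. On OpenSSH 8.7 and later the keyword is spelled KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as an alias.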
In retrospect, I tend to log into my box from only a small number of hosts, all with static IPs, and I don’t do any serving from that box since I have a web host for that (the excellent DreamHost). I am going to get rid of DenyHosts and simply add a deny-all rule and a few exceptions for the hosts that I use (see the man page for “hosts_access”).
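The deny-all-plus-exceptions setup has an evaluation order worth understanding before relying on it: hosts.allow is consulted first and a match grants access, hosts.deny is consulted second and a match denies, and if neither file matches the connection is allowed. The evaluator below, an added example and not part of the post or of tcp_wrappers, applies exactly that order to a constructed hosts.allow/hosts.deny pair; the addresses are assumptions, and it implements only the ALL wildcard, exact IPs, trailing-dot prefixes and net/mask patterns (no hostnames, no EXCEPT).

```python
import ipaddress

# Constructed rule files for "deny everything, allow a few static addresses".
HOSTS_ALLOW = """\
# trusted workstations with static addresses
sshd: 203.0.113.10, 203.0.113.11
sshd: 198.51.100.0/255.255.255.0
ALL: 127.0.0.1
"""

HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Each rule is 'daemon_list : client_list [: shell_command]'; list items are
    separated by blanks and/or commas. Returns [(daemons, clients), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns for numeric addresses."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # "203.0.113." matches 203.0.113.x by string prefix
        return ip.startswith(pattern)
    if "/" in pattern:                  # "net/mask" (dotted mask or prefix length)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, ip):
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) decision: allow-file match grants, else deny-file match
    denies, else the connection is granted."""
    if rule_matches(parse_rules(allow_text), daemon, ip):
        return True
    if rule_matches(parse_rules(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip in (("sshd", "203.0.113.10"), ("sshd", "192.0.2.1"), ("vsftpd", "203.0.113.10")):
        print(daemon, ip, "allowed" if access_allowed(daemon, ip) else "denied")
```

The last branch is the trap: without the `ALL: ALL` line in hosts.deny, an empty or mistyped deny file lets everyone in, so test the pair with `tcpdmatch sshd 192.0.2.1` after editing. One more caveat for anyone reading this on a current system: OpenSSH dropped its built-in tcp_wrappers (libwrap) support in version 6.7, so unless your distribution patches it back in, sshd will ignore these files entirely and the same restriction belongs in the firewall or in sshd_config (`AllowUsers user@203.0.113.10`, or a `Match Address` block).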
DenyHosts seems like it could be very useful though for folks who run servers that need to be open to the public.
I’ve never played with it, but setting up port knocking sounds like a neat way to deter the script kiddies as well.
That’s what we’ve done at our office too: closed up SSH to accept only keyed-logins, disallowed root logins (sudo rules), and filtered most subnets with iptables. I was looking at DenyHosts at one point, but it was really suited more for hosts that want to stick to password logins.